Hi all,

I am learning about the Linux kernel, especially the eBPF subsystem, for various observability and networking applications. As a practice, I am developing a simple utility that detects additions and removals of USB devices and performs actions accordingly. For the sake of practicing eBPF, I plan to implement this utility by instrumenting kernel functions with kprobes rather than writing udev rules etc.

However, I found it not that easy to find the correct hook points. From the kernel documentation for writing USB device drivers (https://www.kernel.org/doc/html/latest/driver-api/usb/writing_usb_driver.html), I learned that there is a `probe` function and a `disconnect` function provided by a driver (in a `usb_driver` struct, https://github.com/torvalds/linux/blob/e146caf303493c4f2458173d7f1598b76a9b1396/include/linux/usb.h#L1186-L1189) for the kernel to call on additions and removals of USB devices respectively. So I thought finding callers to `probe` and `disconnect` might help; but I did not find such callers, either by searching `.probe(` in the repository or using static analysis provided by an IDE.

Is there anything wrong with the methods I am using? How can I find appropriate hook points for USB device additions & removals in the kernel? Or is there an alternative solution using eBPF (such as instrumenting udev with a uprobe)?

Thanks in advance.

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies